Overview

overview

10

Static

static

10

Client-built.exe

windows10-2004-x64

10

Client-built.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250410-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250410-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/04/2025, 07:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Client-built.exe

  • Size

    1.5MB

  • MD5

    efdf48328fd93af977682db2ac7b56ce

  • SHA1

    006abc06af3cdc20dd52588beb5ce4f13273f2db

  • SHA256

    dd1ff957df241c8301de5be805cbe9c484a9d3768e657afffc83a0697f881674

  • SHA512

    30f723977dd6006954f6fc19c23abf421c11a00845ba9dbbd9a465ce6c7a023f96bc641023a1833605cc0306d1e4a7371cee7e2f31bb755d02c25f548949f8d3

  • SSDEEP

    24576:uU1R7bTS2eWBRwRR16zhHIPbcNK0KKm77yviUSQaZaOwI55l2S62r9exnXWiA1Qx:uqRR7wR2EgKKm77LrwCB6T+1Q

Score
10/10
quasarspywaretrojan

Malware Config

Extracted

Family

quasar

Attributes
  • encryption_key

    1FB7485171FF20CDA99F01C1B832D8813FC1E606

  • reconnect_delay

    3000

  • startup_key

    �&)M-Im�� c�hp����C��.��

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar family
    quasar
  • Quasar payload 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Client-built.exe
    "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5328
    • C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Pulsar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:3616
    • C:\Windows\system32\SubDir\Client.exe
      "C:\Windows\system32\SubDir\Client.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5132
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /create /tn "Pulsar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:852

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\system32\SubDir\Client.exe
    Filesize

    1.5MB

    MD5

    efdf48328fd93af977682db2ac7b56ce

    SHA1

    006abc06af3cdc20dd52588beb5ce4f13273f2db

    SHA256

    dd1ff957df241c8301de5be805cbe9c484a9d3768e657afffc83a0697f881674

    SHA512

    30f723977dd6006954f6fc19c23abf421c11a00845ba9dbbd9a465ce6c7a023f96bc641023a1833605cc0306d1e4a7371cee7e2f31bb755d02c25f548949f8d3

    Download Submit

  • memory/5132-13-0x000001DD69490000-0x000001DD694E0000-memory.dmp

    Filesize

    320KB

    Download

  • memory/5132-18-0x000001DD69660000-0x000001DD6968A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/5132-24-0x000001DD699F0000-0x000001DD69AF2000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/5132-10-0x00007FFBF0A80000-0x00007FFBF1541000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/5132-23-0x00007FFBF0A80000-0x00007FFBF1541000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/5132-11-0x00007FFBF0A80000-0x00007FFBF1541000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/5132-21-0x000001DD69B30000-0x000001DD69B42000-memory.dmp

    Filesize

    72KB

    Download

  • memory/5132-22-0x000001DD69B90000-0x000001DD69BCC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/5132-12-0x000001DD69400000-0x000001DD6943A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/5132-15-0x000001DD69440000-0x000001DD6948E000-memory.dmp

    Filesize

    312KB

    Download

  • memory/5132-14-0x000001DD695A0000-0x000001DD69652000-memory.dmp

    Filesize

    712KB

    Download

  • memory/5132-17-0x000001DD69530000-0x000001DD6957A000-memory.dmp

    Filesize

    296KB

    Download

  • memory/5132-16-0x000001DD694E0000-0x000001DD6952C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/5328-2-0x0000022E67FB0000-0x0000022E67FCA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/5328-0-0x00007FFBF0A83000-0x00007FFBF0A85000-memory.dmp

    Filesize

    8KB

    Download

  • memory/5328-1-0x0000022E67A40000-0x0000022E67BD2000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/5328-9-0x00007FFBF0A80000-0x00007FFBF1541000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/5328-3-0x00007FFBF0A80000-0x00007FFBF1541000-memory.dmp

    Filesize

    10.8MB

    Download